Symantec tested and validated that Fortinet® firewall devices are able to forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the pre-shared secret method, which requires a unique gateway IP address.
This procedure provides a guideline configuration that you can apply to the above model or other Fortinet models. It is likely that you have an existing Fortinet device configured in your network; therefore, slight alterations to the existing deployment might be required.
The most basic concept for this method is to configure the router with a site-to-site VPN connection and configure the device policy rules to send web-based traffic to the Web Security Service and ignore everything else. Depending on your geographical location, you must create at least two VPN gateways.
Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.
Prerequisite—Verify that the device is ready for configuration.
This procedure assumes that the FortiGate appliance is already configured with an inside interface (or an interface group containing multiple inside interfaces) and an outside interface that communicates with the Web Security Service.
Tip: If a parameter change is not described here, the default is acceptable.
(Optional, but recommended) For failover, repeat Steps 1 and 2 to create a backup VPN tunnel that directs traffic to another regional Web Security Service data center. When complete, the device displays VPN configurations similar to the following:
Symantec testing indicates that Data Center failover is provided without any additional configuration.
If a Web Security Service data center IP address becomes unresponsive, the Fortinet device takes the corresponding tunnel interface down, and the route policies that reference it no longer apply. The next route policies are used instead, which send traffic to the backup data center.
Fortinet provides an optional setting that lets the backup interface monitor the primary. Testing did not indicate a difference in failover results with this option set, but you can enable it. Follow the commands in the Fortinet CLI example to set up monitoring.
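The following FortiOS CLI fragment is an added example, not Symantec's or Fortinet's own configuration, that pulls the pieces of this procedure together: two pre-shared-secret IKE gateways (primary and backup, with the optional monitor setting on the backup), a Phase 2 lifetime held at the advised four-hour ceiling, and policy routes that steer only TCP 80/443 from the LAN into the tunnels. Interface names, the 10.0.0.0/24 LAN, the IKE/IPsec proposals, and the 192.0.2.x gateway addresses are assumptions and placeholders; substitute the data center IP addresses and secret issued for your Web Security Service account.

```fortios
# Phase 1: one IKE gateway per WSS data center, authenticated by the pre-shared secret.
config vpn ipsec phase1-interface
    edit "wss-primary"
        set interface "wan1"
        set remote-gw 192.0.2.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE_WITH_WSS_PRESHARED_SECRET"
    next
    edit "wss-backup"
        set interface "wan1"
        set remote-gw 192.0.2.20
        set proposal aes256-sha256
        set dhgrp 14
        set monitor "wss-primary"
        set psksecret "REPLACE_WITH_WSS_PRESHARED_SECRET"
    next
end
# Phase 2: keylifeseconds is the "Phase 2 Timeout"; 14400 s = 4 h, the advised ceiling.
config vpn ipsec phase2-interface
    edit "wss-primary-p2"
        set phase1name "wss-primary"
        set proposal aes256-sha256
        set keylifeseconds 14400
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    # "wss-backup-p2": identical entry with phase1name "wss-backup"
end
# Policy routes: only TCP 80/443 from the LAN enters the tunnels; all other traffic
# follows the normal routing table. Lower sequence numbers win, so primary goes first.
config router policy
    edit 1
        set input-device "internal"
        set src "10.0.0.0/255.255.255.0"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "wss-primary"
    next
    edit 2
        set input-device "internal"
        set src "10.0.0.0/255.255.255.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "wss-primary"
    next
    # 3 and 4: same two entries with output-device "wss-backup" (used when primary is down)
end
```

A firewall policy permitting traffic from the inside interface to each tunnel interface is still required for packets to traverse the tunnels; it is omitted here for brevity. With the monitor setting, the backup gateway is only brought up while the primary is down, so the backup policy routes are consulted exactly when the primary tunnel interface has been taken down.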